
require 'active_record/permissions'
require 'action_controller/restricted_access'





# user auth in a restful universe

# browser asks for a restricted resource
# GET /posts/34
#
# :401
#
# Post resource returns status 401 "Unauthorized"
# and displays an HTML login form containing error message like "You cannot READ this resource" 
# if their is not current a user attached to the session, 
#   show a login form containing all of the previous HTTP request
#   and asking for a username/password 
# else
#   display "you are logged in as Frank, if this is not you click here to login+retry the request"
#   'click here' would display a form as above
#
# the browsers retries the request as before 
# ...but also includes the request params "AUTH[USERNAME]" and "AUTH[PASSWORD]"
#
# if user invalid GOTO :401
# else the details are saved for duration of session
# and the original resource is displayed


# manual login
# required if you want to authorize the session before
# trying to access a restricted resource
#
# PUT /session/029375034975309 => "I'm Jefferson and my password is xxxxxx"


# user logout in restful universe
#
# browser asks to kill session
# DELETE /session/3049670349766
#
# Session resource returns 303 to home-page [/]






#set header with meta http-equi ?
#set head with JS: 






#############

# roadmap
#
# extend CGI::Session to handle the fake-user-association cleanly
# equivilent to belongs_to :user (@session.user = @user )
# class CGI::Session
#   has_one :user
# end
#
# permissions system to sit on a User model
# User should impliment .guest_permissions to set default
# permissions for anonymous-users
#
# use ActiveRecord filters to ask permission on :
#
# impliment a restricted_access(@user) { do_code } type block
# to catch models raising AccessDenied errors and display the
# 401 page
#
# 
